Dolmage v. Combined Insurance Company Of America

Filing
58

frw
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
ANNE DOLMAGE, individually and on
behalf of all others similarly situated,
Plaintiff,
)
)
)
)
)
v.)
COMBINED INSURANCE
OF AMERICA,
COMPANY
Defendant.
No. 14 C 3809
)
Chief Judge Rub6n Castillo
)
)
)
)
MEMORANDUM OPINION AND ORDER
Anne Dolmage ("Plaintiff') brings this putative class action against Combined Insurance
Company of America ("Defendant"). (R. 36, Am. Compl.) Presently before the Court is
Defendant's motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6). (R. 41,
Def.'s Mot.) For the reasons stated below, the motion is denied.
RELEVANT FACTS
Plaintiff is a citizen of Missouri and is employed by the department store Dillard's. (R.
36, Am. Compl. fl 10.) Defendant is an insurance provider headquartered in Glenview, Illinois.
(ld. ]t
ll.)
Defendant provides a number of insurance products, including disability, accident,
health, and life insurance policies. (1d.) Plaintiff and other Dillard's employees purchased
insurance coverage from Defendant through their employer. (1d. fl 10.) Plaintiff purchased
insurance from Defendant in June 201
l,
and maintained her coverage
until
JluJy
2012.
(/d fl 10.)
The proposed class members are Dillard's employees who purchased insurance policies from
Defendant between March 2010 and March 2012, as well as their dependents covered under such
policies. (ld. n 41.) In the process of purchasing insurance from Defendant, Plaintiff and the
proposed class members provided Defendant with various types of personal information,
including their names, addresses, dates of birth, social security numbers, and insurance
enrollment and premium information. (/d. fl 3.)
Plaintiff alleges that she and other enrollees received from Defendant a document
entitled, "Our Privacy Pledge to You" (herein "Privacy Pledge"), along with other materials
relating to their policies. (Id.
\ a9; see also R. 36- 1, Privacy Pledge.) The Privacy Pledge
describes Defendant's handling of its insureds' personal information, and states that the company
"will not disclose personal information about you, or any current or former insured, except as
permitted and/or required by law." (R. 36-1, Privacy Pledge.) The Privacy Pledge further states
that Defendant "maintain[s] physical, electronic and procedural safeguards that comply with
federal regulations to guard your personal information," and that it "restrict[s] access to your
personal information to those employees who need to know such information." (ld.)The Privacy
Pledge acknowledges that Defendant may sometimes "share your information with a company or
business not
that
"if
officially connected to [Defendant] but who may do work on our behalf," but states
we do provide your information to any party outside of [Defendant] we will require them
to abide by the same privacy standards as indicatedhere." (Id.)
Defendant hired a third-party company called "Enrolltek" to perform insurance
enrollment functions and other tasks relating to Plaintiff s and other class members' applications.
(R. 36, Am. Compl. fl 12.) Defendant regularly provided Robert Diorio, the principal of
Enrolltek, with access to Plaintiff s and the proposed class members' personal information,
which was maintained in one or more databases on a server owned and controlled by Defendant.
(ld. n
B)
On more than one occasion, Defendant granted Diorio access to this personal
information so that he could copy it to an external hard drive. (Id. n 14.) This external hard drive
was not secure.
(Id.)Plaintiff alleges that for
a sixteen-month period, proposed class members'
personal information was "posted online, unsecure and unprotected," and was "accessible to
anyone with an Intemet connection ." (1d.fl 3.) According to the complaint, "[a]ll one had to do
was type in the name of Plaintiff or any other Class member into the Google search engine and
their [personal information] . . . would be included in the results." (1d )
On or about July 8, 2013, Defendant was notified about this data breach by some
Dillard's employees who, upon entering their names into the Google search bar, had discovered
that their personal information was readily available online. (ld. n
D.) In a letter dated July 26,
2013, Defendant formally notified Plaintiff and other class members that their personal
information had been "stored on an Intemet server by a third party enrollment system vendor
since
March2}l2 without the proper security measures." (Id. n22.) Defendant offered the class
members credit monitoring services for a one-year period. (Id.
\23;
see also R. 36-2, Breach
Notification Letter.)
Plaintiff alleges that the data breach "was a direct and foreseeable result of [Defendant's]
failure to adopt and maintain industry-standard and regulatory-compliant security measures to
safeguard and protect Plaintiff s and Class members' [personal information] from unauthorized
access, use, and disclosure." (R. 36, Am. Compl.
1T
36.) Plaintiff alleges that the breach was
caused by Defendant's "failure to ensure that Enrolltek implemented similar security measures"
to those employed by Defendant.(Id.) According to the complaint, Defendant knew prior to July
2013 that Enrolltek had posted files containing class members' personal information on its
unsecured website, "as Diorio emailed [Defendant] links to the files on the Enrolltek website."
(1d fl 80.) And yet, the complaint alleges, Defendant allowed class members' personal
information to remain on the website for over a year. (1d. fl 80.) Plaintiff alleges that these
actions and omissions violated the promises Defendant made in its Privacy Pledge to her and
other class members. (Id. n
l.)
The complaint alleges that because of Defendant's actions and omissions, Plaintiff and
the proposed class members have suffered economic damages and other injuries, including:
(l)
identity theft related losses, including but not limited to fraudulent income tax
returns, fraudulent use of credit to open financial and other accounts, and medical
fraud; (2) expenses and time to cure and remediate identity theft related losses,
including but not limited to f,rling police reports, defending against claims, credit
monitoring and insurance, and constant vigilance in detecting fraudulent account
activity; (3) expenses and time reasonably incurred to prevent future identity theft
related losses; and (4) loss of a contractual benefit in the form of maintenance of
industry-standard and regulatory-mandated privacy and security measures to
prevent against unauthorized disclosure of confidential [personal information].
(1d fl 83.) Plaintiff claims that because of the data breach, unknown individuals stole her
information and submitted a false income tax return in her name to the Internal Revenue Service,
allowing them to obtain her tax refund for 2013. (1d. fl 38.) She claims that unknown individuals
also incurred fraudulent cell phone charges and medical expenses in her name. (ld.nn 38-39.)
She alleges that she has spent time and money addressing these fraudulent charges and also had
her tax refund delayed.
(ld.) According to the complaint,
at least 30 other Dillard's employees
have reported being victims of identity theft following the data breach . (ld. n 40.)
PROCEDURAL HISTORY
On May 22,2014, Plaintiff filed a ten-count complaint against Defendant alleging claims
under the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. $ 1681 et seq., and state law claims
of
negligence, breach of fiduciary duty, breach of express contract, breach of implied contract,
unjust enrichment, invasion of privacy, and violation of the Illinois Insurance Code,
2l5[tt.
Covp. Srar. 5/1001 et seq. (R. 1, Compl.) Defendant moved to dismiss all counts of the
complaint pursuant to Rule 12(bX6). (R. 20, Def.'s Mot. to Dismiss.) In a memorandum opinion
and order issued on January 27,2015, the Court dismissed all of
Plaintiff s claims with
prejudice, except for the breach of express contract and breach of fiduciary duty claims.
Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809,2015 WL 292947, at *3-10 (l{.D. Ill. Jan.
21,2015). These two claims were dismissed with leave to replead them in an amended complaint
after the parties engaged in certain limited discovery. Id. at*10.
On September 25,2015, Plaintiff filed her amended complaint asserting only the breach
of contract claim. (R. 36, Am. Compl. flfl 47-83.) Defendant now moves for dismissal under Rule
I
2(b)(6), arguing that Plaintiff has again failed to allege a plausible breach of contract claim. (R.
41, Def s Mot.) Plaintiff opposes the request for dismissal, (R. 48, Pl.'s Resp.), and Defendant
has filed a reply in support of its request, (R. 50, Def.'s Reply).
LEGAL STANDARI)
Under federal pleading standards, a complaint must contain a "short and plain statement
of the claim showing that the pleader is entitled to relief." Fpo. R. Ctv. P. 8(aX2). A Rule
12(bX6) motion "challenges the viability of a complaint by arguing that it fails to state a claim
upon which relief may be granted." Camasto v. Jos. A. Bank Clothiers,
Inc.,76l F .3d 732,736
(7th Cir. 2014).ln deciding a Rule 12(b)(6) motion, the Court construes the complaint in the
light most favorable to the non-movant, accepts all well-pleaded factual allegations
as true, and
draws all reasonable inferences in the non-movant's favor. Vesely v. Armslist LLC,762 F.3d 661,
664-65 (7th Cir. 2014). The Court can consider "allegations set forth in the complaint itself,
documents that are attached to the complaint, documents that are central to the complaint and are
referred to in it, and information that is properly subject to judicial notice."l Williamson v.
Curran,
7
14 F.3d 432, 436 (7th Cir. 201 3).
To survive dismissal, a complaint must "contain sufficient factual matter . . . to 'state a
claim to relief that is plausible on its face."' Ashcroft v. Iqbal,556 U.S. 662, 678 (2009) (quoting
Bell Atl. Corp. v. Twombly, 550 U.S. 544,570 (2007)). "A claim has facial plausibility when the
plaintiff pleads factual content that allows the court to draw the reasonable inference that the
defendant is liable for the misconduct alleged."
Id.ltis
not enough for the plaintiff to allege
"[t]hreadbare recitals of the elements of a cause of action, supported by conclusory statements."
rd.
By the same token, "the Supreme Court has signaled on several occasions that it has not
amended the rules of
civil procedure sub silentio to abolish notice pleading and return to the old
fact pleading standards that pre-dated the modern civil rules." Alexander v. United States, T2l
F.3d 418, 422 (7th Cir. 2013). Thus, a plaintiff is not required to include "detailed factual
allegations" to suryive a motion to dismiss. 1d Nor is "plausibility" the same as "probability,"
and
it is therefore inappropriate for the Court to "stack up inferences side by side and allow the
case to go forward only
if the plaintiff
s inferences seem more compelling than the opposing
inferences." Id. (citation omitted). Instead, "the plausibility requirement demands only that a
plaintiff provide sufficient detail to present a story that holds together." Id. (intemal quotation
marks and citation omitted).
attached the Privacy Pledge and the letter from Defendant notifoing her of the data breach to
her amended complaint. (R.36-1, Privacy Pledge; R.36-2, Breach Notification Letter.) Additionally,
Defendant has submitted the insurance policy and related documents that were mailed to Plaintiff,
including an additional copy of the Privacy Pledge. (R. 42-1, Insurance Materials at 1-41.) Defendant
asserts that Plaintiff produced these documents in discovery. (R.42, Def.'s Mem. at 2-3.) Plaintiff does
not contradict this assertion, nor does she object to the Court's consideration of these documents or
question their authenticity. (See R. 48, Pl.'s Resp.) Because these documents are referenced in the
amended complaint and are central to Plaintiff s claim, they will be considered in connection with the
' Plaintiff
motion. See l[rilliamson,
7
14
F
.3d at 436.
ANALYSIS
This lawsuit now boils down to one claim: that Defendant breached the promises made in
its Privacy Pledge in connection with the handling of Plaintiff
s
personal information, resulting
in the theft of this information and attendant damages. (R. 36, Am. Compl. flfl 1-7.) In Plaintiff
s
view, the Privacy Pledge was part of the insurance policy she and other class members obtained
from Defendant. (Id. fl 4S.) Defendant disagrees that the Privacy Pledge was incorporated into
the parties' insurance policy or that is otherwise enforceable in a breach of contract action. (R.
41, Def.'s Mot. at 2-3.)
Under Illinois law, "[a]n insurance policy is a contract, and its construction is reviewed
de novo as a question of law."2
Barthv. State Farm Fire & Cas. Co.,886 N.E.2d 976,982
(lll.
200S). To establish breach of contract, "a plaintiff must show the existence of a valid and
enforceable contract, performance of the contract by the plaintiff, breach of the contract by the
defendant, and resulting injury to the plaintiff." Carlton at the Lake, Inc. v. Barber,928 N.E.2d
1266,1270 (Ill. App. Ct. 2010). The elements of a valid contract consist of "offer and
acceptance, consideration, and definite and certain terms."
Id.ln interpreting
an insurance policy,
"a court's primary objective is to ascertain and give effect to the intentions of the parties as
expressed by the words of the policy." Cent.
(Ill. 2004). The policy must
Ill. Light Co. v. Home Ins. Co., 821 N.E.2d206,213
be "construed as a whole, giving effect to every provision,
if
possible, because it must be assumed that every provision was intended to serve a purpose."
1d.
Additionally, "[i]f the words used in the policy are clear and unambiguous, they must be given
their plain, ordinary, and popular meaning." Id. Conversely, "if the words used in the policy are
reasonably susceptible to more than one meaning, they are ambiguous and will be strictly
2
The parties agree for purposes of the present motion that
6 n.3; R. 48, Pl.'s Resp. at 8-1 1.)
lllinois law applies. (See R. 42,Def.'s Mem. at
construed against the drafter." Id.; see also Outboard Marine Corp. v. Liberty Mut. Ins. Co.,607
N.E.2d 1204,l2l7 (Ill. 1992) ("Ambiguous terms are construed strictly against the drafter of the
[insurance] policy and in favor of coverage.").
I.
Incorporation of the Privacy Pledge
Defendant first argues that Plaintiff "fails to allege sufficient facts supporting her
conclusory contention that [Defendant] entered into an agreement with Plaintiff that incorporated
[Defendant's] Privacy Pledge." (R. 41, Def.'s Mot. at 2.) It is worth noting again that under
federal pleading standards, Plaintiff does not have to include "detailed factual allegations" to
survive dismissal. Alexander, T2l F.3d at 422. Because notice pleading standards apply, the
question is whether Plaintiff has alleged enough detail to "present a story that holds together." Id.
(citation omitted). In the amended complaint, Plaintiff alleges that Defendant "entered into
agreements" with Plaintiff and the proposed class members that "incorporated the terms in
[Defendant's] Privacy Pledge." (R. 36, Am. Compl. fl 48.) She further alleges that she received a
copy of the Privacy Pledge from Defendant "with other materials relating to her application for
health insurance." (ld.n 49.) These allegations must be accepted as true at this stage. Vesely,762
F.3d at 664.
Defendant submits the policy and related documents that were sent to Plaintiff with her
policy, and argues that these documents "leave no doubt that the Privacy Pledge, as a matter of
law, was not part of the insurance contract between Plaintiff and [Defendant]." (R. 42,Def.'s
Mem. at7; see alsoP..42-l,Insurance Materials at l-41.) The documents are not nearly as
straightforward as Defendant suggests.
The insurance policy provides in pertinent part: "The policy is a legal contract. It is the
entire contract between you and us. . . . Any change to it must be in writing and approved by us.
Only our President or one of our Vice-Presidents can give our approval." (R. 42-1, [nsurance
Materials at l1 (emphasis added).) It would appear that this language was intended as an
integration clause, and Plaintiff does not argue otherwise. See Westlake Fin. Grp., Inc. v. CDH-
Delnor Health Sys.,25 N.E.3d 1166,1171 (lll. App. Ct. 2015) (contract provision stating, "[t]his
Agreement is the complete and exclusive agreement between the parties" constituted an
integration clause). "[W]here parties formally include an integration clause in their contract, they
are explicitly manifesting their intention to protect themselves against misinterpretations which
might arise from extrinsic evidence." Air Safety, Inc. v. Teachers Realty Corp.,706 N.E.2d 882,
88s
(ilI. r99e).
The matter is complicated, however, because the policy also expressly incorporates by
reference certain extraneous documents. Specifically, it defines "policy" as "this policy with any
attached application(s), and any riders and endorsements." (R. 42-1, Insurance Materials at l1
(emphasis added).) The policy's table of contents specifies that "[a] copy of the application and
any riders and endorsements follow page 17." (ld. at 6.) As the documents have been submitted
to the Court, there are several documents following page 17, including the Privacy Pledge. (See
id. at39.) Based on the manner in which the Privacy Pledge was given to her, Plaintiff argues
that this document qualifies as an endorsement. (R. 48, Pl.'s Resp. at 12.) Defendant responds
that the Privacy Pledge could not possibly constitute an endorsement under the plain meaning
of
that term.3 (R. 50, Def.'s Reply at 4-6.)
3
Defendant criticizes Plaintiff for raising different legal theories during the course of this litigation as to
why the Privacy Pledge is enforceable.(SeeR.42, Def.'s Mem. at 14 n.6; R. 50, Def.'s Reply at 3-4.) To
the extent Plaintiff has done so, her actions were not improper. See Albiero v. City of Kankakee, 122 F .3d
417 , 419 (7th Cir. 1997) ('[M]atching facts to a legal theory was an aspect of code pleading interred in
1938 with the adoption of the Rules of Civil Procedure. . . . tAl plaintiff may substitute one legal theory
for another without altering the complaint." (internal citation omifted)). It is also worth noting that
Plaintiff was given express permission to replead her breach of contract claim, and the limited discovery
that occurred may well have led her to include different allegations or theories in the amended complaint.
t!
"[A]n endorsement has been defined
as being
merely an amendment to an insurance
policy; a rider." Alshwaiyat v. Amer. Serv. Ins. Co.,986 N.E.2d
l82,l9l (Ill. App. Ct. 2013)
(intemal quotation marks and citation omitted). A "rider," in turn, is def,rned as "[a]n attachment
to some document, such as . . . an insurance policy, that amends or supplements the document."
BLecr's Law DtcrtoNARy (lOth ed. 2014). The Court disagrees with Defendant that the Privacy
Pledge could not possibly satisfy these definitions. Plaintiff alleges that the Privacy Pledge
accompanied the policy that was mailed to her, and this document can be read to supplement the
policy by providing additional benefits to insureds regarding the handling of their personal
information. The policy does require that endorsements be approved by Defendant's president or
one
if its vice-presidents, (R. 42-1, Insurance Materials at 1l), but the Privacy Pledge states that
it was authored by Defendant's "Chairman, President and Chief Executive Officer." (R. 36-1,
Privacy Pledge.)
Defendant argues that "an endorsement must be properly attached to the policy so as to
indicate that it and the policy are parts of the same contract and must be construed together." (R.
50, Def.'s Reply at 5 (citation omitted).) But again, Plaintiff alleges that the Privacy Pledge was
sent to her along with the policy documents, and the Court must accept this allegation as true. (R.
38, Am. Compl. fl 49.) The policy itself states that the documents following page 17 are
considered part of the policy, which would appear to include the Privacy Pledge. (R. 42-1,
Insurance Materials at 6, 39 .) Based on Plaintifl s allegations and the language of the policy, her
claim that the policy incorporated the Privacy Pledge is not implausible. See W.W. Vincent & Co.
v.
First Colony Life Ins. Co.,8l4N.E.2d 960,966 (Ill. App. Ct.2004) (where integration clause
included reference to extraneous documents delivered with the contract, plaintiffs were not
precluded from stating a claim for breach of contract based upon those extraneous documents).
10
Defendant could have avoided any ambiguity by clearly labeling the documents sent with
the policy that were intended to be incorporated by reference, but it did not do so.a (See R. 42-1,
Insurance Materials at22-41.) Or defendant could have drafted an integration clause that did not
reference outside documents, in which case Plaintiff would have been precluded from relying on
outside documents to assert a breach of contract claim. See Air Safety, Lnc.,706 N.E.2d at 885.
But that is not how the policy was drafted, and any ambiguities must be construed against
Defendant. See Cent. Ill. Light Co.,82l N.E.2d at2131' Outboard Marine Corp.,607 N.E.2d at
l2lT.Therefore, the Court rejects Defendant's argument that the contract documents foreclose
Plaintiff
II.
s claim as a matter
of law.
Reliance
Defendant also argues that Plaintiff s claim fails because she "nowhere alleges that she
relied on or read the Privacy Pledge, or even was aware that it existed, before she agreed to the
insurance contract." (R.42, Def.'s Mem. at 8.) However, reliance is not one of the elements of a
breach of contract claim under lllinois law. See Barber,928 N.E.2d at 1270. Defendant cites
several cases from other jurisdictions in support of its argument, but aside from the fact that
these cases are not binding authority and do not interpret
Illinois law, the Court finds them
distinguishable on the facts. (See R. 42, Def.'s Mem. at 8 (collecting cases).)
ln Austin-Speorman v. AARP, ---- F. Supp. 3d ----, 2015 WL 4555098 (D.D.C. July 28,
2015), the plaintiff purchased a membership with AARP, Inc. through the organization's website
and subsequently opted to create an online
account-which was not
a requirement
of
membership nor limited to members only--during which process she reviewed and agreed to the
organization's privacy policy. She claimed that some of her personally identifiable information
a
For instance, one of the documents accompanying the policy includes the prominent disclaimer: "THIS
IS A PROPOSAL AND IS NOT PART OF THE CONTRACT." (R.42-1, Insurance Materials at 30.)
The Privacy Pledge contains no such disclaimer. (See R.36-1, Privacy Pledge.)
11
was obtained by a third-party social network through AARP's website, which caused her
"surprise and outrage." Id. at*2-*3, *6. The court concluded that the plaintiff had suffered no
actual injury and thus lacked standing under Article III of the U.S. Constitution. Id. at *7 . The
court commented in dicta that AARP's privacy policy "indisputably applie[d] to members and
non-members alike," and that "a promise that is offered freely and equally to all people-without
regard to who has provided consideration and who has
not-is not a contract." Id. at *8.
This case is weak support for Defendant's argument here, as this Court is not deciding
whether Plaintiff suffered an injury for purposes of Article
III standing, nor is there anything in
the documents to reflect that the Privacy Pledge was "offered freely and equally to all people."
To the contrary, it is apparent from the language of the Privacy Pledge that it was directed
exclusively to Defendant's insureds. (See R. 36-1, Privacy Pledge.)
The other cases cited by Defendant are also of limited relevance. In Willingham v. Global
Payments,lnc., No. 1:12-CV-01 157-RWS,2013 WL 440702 (N.D. Ga. Feb. 5, 2013), the
plaintiffs provided their personal data to
a merchant,
who in turn provided the data to the
defendant. The magistrate judge, applying Georgia law, recommended that the plaintiffs not be
permitted to pursue a contract claim against the defendant based on an alleged violation of the
defendant's privacy policy, given the lack of any relationship between the parties and the lack
of
support for the plaintiffs' argument that they were intended third-party beneficiaries of the
privacy policy. Id. at*20-21. Here, Plaintiff and the proposed class members provided their
personal information directly to Defendant, and they are not proceeding on an implied contract
t2
or third-party beneficiary claim.s Instead, their argument is that they contracted directly with
Defendant, and that the Privacy Pledge was part of that contract.
Defendant also cites Azeltine v. Bank of America, No. CV 10-218-TUC-RCC (HCE),
2010 WL 6511710 (D. Ariz. Dec. 14, 2010), in which the district court applied Arizona law to
conclude that a bank's privacy policy was not an enforceable contract. The court in Dyer
v.
Northwest Airlines Corps.,334 F. Supp. 2d 1196 (D.N.D. 2004), reached a similar conclusion
under North Dakota law, holding that an airline's privacy policy posted on its website does not
constitute a "contract." These cases are distinguishable, however, because Plaintiff is not
attempting to enforce the Privacy Pledge as a stand-alone contract. Rather, her argument is that
the Privacy Pledge was part of the parties' insurance agreement. (See R. 48, Pl.'s Resp. at 9-10.)
Thus, the Court finds these cases unpersuasive.6
m.
Timing of Plaintiff
s Receipt
of the Privacy Pledge
Defendant also argues that the Privacy Pledge could not possibly be part of the insurance
policy because "Plaintiff received the Privacy Pledge after the insurance contract had been
entered." (R. 41, Def.'s Mot. at 2.) As is explained above, the language of the policy and the
manner in which Plaintiff alleges that the Privacy Pledge was conveyed to her plausibly suggests
that it was intended to be part of the parties' agreement. Indeed, "[t]ransactions in which the
5
Plaintiff raised an implied contract claim in her original complaint, but this claim was dismissed with
prejudice after the Court determined that an express contract-the insurance policy-governed the
parties' relationship . Dolmage,20l5 WL 292947, at *7-8 see also Maness v, Santa Fe Park Enters., Inc.,
700 N.E.2d 194,200 (lll. App. Ct. 1998) ("[A]n implied contract cannot coexist with an express contract
on the same subject.").
u
Notably, there are other cases from outside jurisdictions permitting claims like Plaintiff s to proceed past
thepleadingstage.See, e.g., Resnickv.AvMed,Inc.,693 F.3d 1317,1322-27 (l1thCir.20l2)(members
of health care plans adequately alleged breach of contract and other claims against plan operator
stemming from identity thefts that occurred after unencrypted laptops containing members' sensitive
personal information were stolen from plan operator's corporate office); Claridge v. RockYou, lnc.,785 F.
Supp. 2d 855, 865 (N.D. Cal. 2011) (account holder adequately stated claim for breach of privacy policy
by developer of online services for allegedly storing his personal information on an unsecure server).
13
exchange of money precedes the communication of detailed terms are common." ProCD, Inc. v.
Zeidenberg, 86 F.3d 1447,1451 (7th Cir. 1996). The U.S. Court of Appeals for the Seventh
Circuit offered the following illustrations:
Consider the purchase of insurance. The buyer goes to an agent, who explains the
essentials (amount of coverage, number of years) and remits the premium to the
home office, which sends back a policy. On the district judge's understanding, the
terms of the policy are irrelevant because the insured paid before receiving them.
Yet the device of payment, often with a "binder" (so that the insurance takes
effect immediately even though the home office reserves the right to withdraw
coverage later), in advance ofthe policy, serves buyers' interests by accelerating
effectiveness and reducing transactions costs. Or consider the purchase of an
airline ticket. The traveler calls the carrier or an agent, is quoted a price, reserves
a seat, pays, and gets a ticket, in that order. The ticket contains elaborate terms,
which the traveler can reject by canceling the reservation. To use the ticket is to
accepttheterms....
Id.
In Hill v. Gateway 2000, Inc.,l05 F.3d
ll47 (7thCir.1997),
the Seventh Circuit
extended this reasoning to a case involving computers purchased over the telephone. The
computers arrived with a list of terms that was "said to govern unless the customer return[ed] the
computer within 30 days." Id. at 1148. The Seventh Circuit reasoned that because the customer
had an opportunity to return the computer after reading the additional terms included
those terms were
fully enforceable . Id. at ll48-49. This was true even if the customer did not
actually read the additional terms. Id. at
Servs. Co.,
with it,
ll49; see also Kaufman
v. Am. Exp. Travel Related
No. 07 C 1707,2008 WL 687224, at *6 (N.D. Il1. Mar. 7,2008) ("Courts have held
that a consumer accepts terms, read or not, upon using a product . . . where an opportunity to
avoid the undesirable terms exists.").
Accepting Plaintiff s allegations as true and affording her all reasonable inferences, the
complaint alleges that Plaintiff received the Privacy Pledge at the same time she received her
l4
policy and other materials.T (R. 35, Am. Compl.'U 49.) The documentation reflects that this
occurred in June 2011. (R.42-1, Insurance Materials at 2.) Under the terms of the policy,
Plaintiff had an opportunity to review those materials and cancel within 30 days if she wished, in
which case Defendant would "treat the policy as if it had never been issued," including refunding
any premiums that were paid. (Id. at 5; see alsoP..42, Def.'s Mem. at I
l.) Plaintiff did not
cancel, however, and instead asserts that she retained the policy until July 2012. (R. 35, Am.
Compl.
lT 10.)
Her retention of the policy constituted an acceptance of its terms, rendering those
terms enforceable. See ProCD, 86 F.3d at
l45l; Hill,105
F.3d at 1148. Therefore, the Court
finds Defendant's argument unavailing.
IV.
Consideration
Defendant also argues that "[t]he Privacy Pledge is a unilateral statement of company
policy and cannot stand as consideration." (R. 41, Def.'s Mot. at 2.) "[C]onsideration is the
bargained-for exchange of promises or performances, and may consist of a promise, an act or a
forbearanc e." Mclnerney v. Charter Golf, lnc.,680 N.E.2d 1347 , 1350
(Ill.
1997); see also
Johnson v. Maki & Assocs., Lnc.,682 N.E.2d 1196,1199 (Ill. App. Ct. 1997) ("Consideration for
a contract consists either
of some right, interest, profit, or benefit accruing to one party or some
forbearance, detriment, loss of responsibility given, suffered, or undertaken by the other.").
7
The Court notes that Plaintiff s application for insurance benefits, which is incorporated by reference in
the policy and attached thereto, contains an acknowledgement that Plaintiff received various documents in
connection with her application, including a "Notice of Information Practices" and an "Accelerated
Benefit Disclosure." (R. 42- 1 , Insurance Materials at 25 .) Defendant asserts that Plaintiff applied for
benefits by telephon e, (see R. 42, Def.'s Mem. at l0), such that it can be reasonably infened that these
documents were actually sent to her at a later date. The "Accelerated Benefit Disclosure" was one of the
documents included with the policy materials. (R.42-l,lnsurance Materials at24.) Although neither
party addresses this issue, it seems plausible that the 'Notice of Information Practices" was in fact the
Privacy Pledge that was sent to Plaintiff at the same time. Although the evidence may ultimately show
that they are not the same documents, this ambiguity lends further support to Plaintiff s claim.
l5
Defendant's argument is somewhat confusing, but to the extent Defendant is arguing that
the Privacy Pledge must meet all the independent requirements of a contract, including being
supported by adequate consideration, the Court disagrees. Plaintiff is not seeking to enforce the
Privacy Pledge as an independent contract; rather, she is claiming that the Privacy Pledge was
incorporated into the parties' insurance agreement. (See R. 48, Pl.'s Resp. at 9-10, 13-14.) There
was clearly consideration for the insurance agreement (Plaintiff s premiums in exchange for
insurance coverage), and Defendant does not argue otherwise.
Within this argument, Defendant also suggests that the Privacy Pledge is unenforceable
because
it "is nothing more than a statement that [Defendant] is complying with its pre-existing
duties to follow applicable federal regulations." (R.42, Def.'s Mem. at 13.) Defendant is correct
that a party's promise to do "what it is already legally obligated to do" does not give rise to
contractual rights. See Johnson,682 N.E.2d at
Stores, Inc., 3 F. Supp. 2d 952,967
ll99;
see also GLS Develop., Inc.
v. Wal-Mart
(l{.D. Ill. 1998) ("Black letter law teaches that a promise to
do or to pay something that the promisor is already bound to do or to pay provides no
consideration for the other party's promise in exchange, so that the other party's promise is not
legally enforceable."). As Defendant points out, the Privacy Pledge references Defendant's
compliance with unspecified "federal regulations."s (R. 36-1, Privacy Pledge). But the Privacy
8
In the amended complaint, Plaintiff includes extensive allegations about Defendant's compliance with
the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 45 C.F.R. Parts 160 and
164, the FederalTrade Commission Act, l5 U.S.C. $ 45(a), and the Gramm-Leach-Bliley Act, 15 U.S.C.
$ 6801 et seq. (See R. 36, Am. Compl. tTfl 57-81.) The exact purpose of these allegations is unclear, as
Plaintiff does not purport to raise a claim under any of these federal laws, and instead couches her claim
solely in terms of breach of contract. For completeness, the Court notes that none of these provisions have
been interpreted to provide a right of action for private individuals like Plaintiff. See e.g., Carpenter v.
Phillips,4l9 F. App'* 658, 659 (7th Cir. 2011) ("HIPAA does not furnish a private right of action.");
Int'l Tax Advisors, Inc. v. Tax Law Assocs., ZZC, No. 08 C 2222,201 I WL 612093, at *5 (N.D. Ill. Feb.
15,2011) (no private right of action exists for a violation of the Federal Trade Commission Act); Am.
Family Mut. Ins. Co. v. Roth,No. 05 C 3839,2005 WL 3700232, at *6 (N.D. Ill. Aug. 5,2005) (no
private right of action exists for a violation of the Gramm-Leach-Bliley Act).
t6
Pledge contains other provisions unrelated to Defendant's compliance with federal law. For
instance, it provides that Defendant will restrict access of insureds' personal information "to
those employees who need to know such information," and further, that
if insureds' personal
information is shared with a third party, Defendant will "require them to abide by the same
privacy standards as indicated here." (R. 36-1, Privacy Pledge.) The amended complaint
plausibly alleges that Defendant breached these provisions when it provided class members'
personal information to Enrolltek without ensuring that Enrolltek properly limited the disclosure
of that information. (See 36, Am. Compl. tTfl 1-5, l3-18.) Therefore, the Court rejects
Defendant's argument.
V.
Breach of the Privacy Pledge
Defendant also argues that even if the Privacy Pledge is enforceable, "Plaintiff has not
sufficiently pled that [Defendant] breached the Privacy Pledge, which contemplates that
[Defendant] will share personal information with third parties who do work on [Defendant]'s
behalf." (R. 41, Def.'s Mot. at 3.) As Defendant points out, the Privacy Pledge does provide that
"sometimes,wemay...shareyourinformationwithacompany...whomaydoworkonour
behalf." (R. 36-1, Privacy Pledge (emphasis in original).) However, the Privacy Pledge also
promises that
o'require
if insureds' personal information is provided to any third parties, Defendant will
them to abide by the same privacy standards" that are employed by Defendant. (/d )
Accepting Plaintiff s allegations as true, she has plausibly alleged a series of events showing that
Defendant failed to take adequate steps to ensure that Enrolltek limited access of insureds'
personal information under the same standards employed by Defendant. (See 36, Am. Compl.
flfl l-5, 13-18, 55.) If Defendant knew the data was not being handled securely and did nothing to
remedy the situation, as Plaintiff alleges, it certainly cannot be said that Defendant "required"
t7
Enrolltek to comply with its privacy standards. Therefore, the Court finds Defendant's argument
unavailing.
VI.
Causation
Defendant's final argument is that Plaintiff has not sufficiently alleged that Plaintiff
s
claimed damages were the result of Defendant's conduct. (R. 41, Def.'s Mot. at 3.) Defendant
believes that the complaint falls short because "Plaintiffls alleged damages do not arise out
of
[Defendant's] conduct, but rather out of the acts of third parties-namely, Enrolltek . . . and the
unidentified third party thieves who stole her data." (R.42, Def.'s Mem. at 16.) In Defendant's
view, "Plaintiffs' [personal information] could have been compromised by any number of
sources (e.g.,her use of a department store credit card that is involved in a security breach)
entirely unrelated to her [personal information] provided to [Defendant].-e (Id.)
There is no question that Plaintiff will ultimately be required to prove that her damages
were caused by Defendant's actions. See In re lllinois Bell Tel. Link-Up 11,994 N.E.2d 553, 558
(Ill. App. Ct. 2013) ("The
basic theory of damages in a breach of contract action requires that a
plaintiff establish an actual loss or measurable damages resulting from the breach in order to
recover. . . . Damages which are not the proximate cause of the breach are not allowed." (internal
quotation marks and citations omitted)). But, again, the issue at the pleading stage is solely
e
Defendant cites to Slaughter v. AON Consulting,lnc., No. 10C-09-001 FSS, 2012 WL 1415772 (Del.
Super. Ct. Jan. 31,2012), in support of its argument, and although that case also involved a data breach, it
has little relevance here. The Delaware court dismissed for lack of standing after giving the plaintiffs an
opportunity to present expert testimony to establish that they were injured by the defendant's actions. 1d.
at*2-4. The present motion does not attack Plaintiffs standing, nor has Plaintiff had an opportunity to
present expert testimony to establish the cause ofher injuries. Indeed, Defendant appears to concede that
the standing analysis has little application here, as Defendant distinguishes one of the cases cited by
Plaintiff on this same ground. (See R. 50, Def.'s Reply at 13.) Defendant also cites to Clinical Radiologt
Associates, P.C. v. Kim, No. 1-96-0353, 1996 WL 33576909 (lll. App. Ct. Dec. 17,1996), for the
proposition that "[P]laintiff must plead facts which show that it suffered damages as a consequence of the
breach." (R. 50, Def.'s Reply at 12.) That case is also of limited assistance because federal notice
pleading standards apply to the present motion, not the fact pleading standard employed by lllinois courts.
See Alexander, T2l F .3d at 422; see also Albiero, 122 F .3d at 419 ("Some states, including Illinois, use
fact pleading to this day, but federal courts took a different path 59 years ago.").
t8
whether Plaintiff has stated a plausible claim for relief. See Ashcroft, 556 U.S. at 678; Alexander,
721 F.3d at 422.
To that end, Plaintiff alleges that Defendant was contractually obligated to ensure that her
personal data was secure, even if Defendant gave it to a third party. (R. 36, Am. Compl. flfl l-17.)
She claims that Defendant's actions and omissions led to her personal information being readily
available to "anyone with an Internet connection" from March 2012to July 2013.
gd ffi3,17-
20.) She also claims that Defendant was aware that the data was not being stored securely,
because Enrolltek emailed Defendant intemet links where the data could be readily accessed, and
yet Defendant allegedly did nothing to remedy this issue. (Id. n 17.) Thereafter, an unknown
identity thief stole Plaintiff
s
personal information and used it to obtain her 2013 tax refund. (1d
fl 38.) Given the timeline of events, and the fact that at least 30 other Dillard's employees
allegedly suffered the same type of identity theft, it is certainly plausible that there is a causal
link between Defendant's failure to ensure the confidentiality of the data and the damages
alleged. That is all that is required at this stage. Alexander,T2l F.3d at 422; see also Remijas
v.
Neiman Marcus Grp., LLC,794 F.3d 688, 696 (7th Cir. 2015) ("It is enough at this stage of the
litigation that [the defendant] admitted that 350,000 cards might have been exposed [to a data
breach] and that it contacted members of the class to tell them they were at risk. Those
admissions and actions by the store adequately raise the plaintiffs' right to relief above the
speculative level." (citing Twombly,550 U.S. at 570)). Therefore, Defendant's motion to dismiss
will
be denied.
t9
l'
CONCLUSION
For the foregoing reasons, Defendant's motion to dismiss (R.
4l)
is DENIED. The parties
are DIRECTED to reevaluate their settlement positions in light of this opinion and exhaust all
efforts to settle the case. The parties shall appear for a status hearing on March 30,2016, at9:45
a.m.
ENTERED:
Chief Judge
United States
Dated: February 23,2016
Castillo

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.